The present invention relates to techniques for verifying that an applicant is a member of a group having predetermined privileges without explicitly listing the members of the group.
In many computer and security systems, it is desirable to restrict access or privileges to a specified resource or a secure area to certain individuals. For example, it is necessary in certain situations to limit access to a secure area only to certain privileged individuals who require such access. Further, in other applications it is necessary or desirable to limit access or rights with respect to certain files, directories, databases, web pages or other computer resources to specific individuals within a defined group. Typically, the individuals or applicants who are "privileged" members of the group having access to the specified resource are identified in an access control list or in a group membership list. The applicants may, in differing applications, constitute individuals or, alternatively, computer or electronic devices. The use of access control lists (containing an identification of group members along with their respective access rights) and group membership lists (containing an identification of group members) has certain disadvantages. Such lists must be kept current. The maintenance of such lists can be a formidable task for a large organization or community in which the legitimate members of the group change as a matter of course or access rights for the respective members vary over time.
It would therefore be desirable in certain applications to be able to determine whether an individual or applicant is a member of a group having the right of access to a resource without explicitly listing the members of the group. It would also be desirable to be able to perform this function in a secure manner so that an access-granting authority can ensure that unauthorized applicants are not improperly granted access to the resource.